What do we do about BlueBorne?

BlueBorne is an attack that leverages Bluetooth connections to penetrate and take control of targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired with the attacker’s device, or even to be set to discoverable mode. According to Google, it “could enable a proximate attacker to execute arbitrary code within the context of a privileged process.”

Threat/Attack Description:

The attacker locates active Bluetooth connections nearby. Devices can be identified even if they are not set to “discoverable” mode.

The attacker obtains the device’s MAC address, which is a unique identifier of that specific device.

By probing the device, the attacker can determine which operating system the victim is using and adjust the exploit accordingly.

The attacker then exploits a vulnerability in the implementation of the Bluetooth protocol on the relevant platform and gains the access needed to act on the malicious objective.

The attacker can then choose to:

Create a man-in-the-middle attack and control the device’s communication, or

Attempt to compromise the device and take full control of it.

How zIPS Helps

Risk Assessment: For both iOS and Android, zIPS can identify which mobile devices are in compliance with the latest OS versions and security patches.

Active Threat Detection:

Exploits Leveraging Bluetooth: zIPS can detect attacks that leverage BlueBorne to exploit devices directly. In these scenarios, zIPS monitors system behavior and detects the effect of an attack regardless of its entry point (in this case, Bluetooth). Once an attack is detected, zIPS notifies the security team with detailed forensics of the attack and will remediate the attack if permissions allow.